Installing Software without being Local Admin?

[Ben]

Hi,

Some of you may remember back in June I posted a topic entitled 'Network
Computer Games on Business Machines' which detailed the problem we were
having with some of our users installing software & games on their machines,
as they were local admins (against my recommendations). A number of people
posted replies, including PA Bear, Malke, Aaron etc with advice, and
recommendations including presenting the directors with a risk analysis.
Well I went on holiday the following week, and while there wrote up a fairly
long, detailed risk analysis, which I gave to our directors when I returned.

Surprisingly they actually accepted and agreed with the risk analysis, and
decided to back me in removing all users from the local admins group!

This was going well on most of our users workstations, with little or no
side effects. I decided to use VM workstation for our developers who needed
to install/uninstall development software, allowing them to be local admins
on their virtual system, but not the base system. Then we came to our
business analysis/modelers. They use a piece of business modelling software
that is quite flaky, and they have to keep installing/uninstalling and
applying fix packs to get it to work, all this means they need admin rights.
Also this software seems to require a minimum of 1 & 1/2GB ram to run, 2GB
to run smoothly. These business modellers all have Dell laptops, as they are
mobile consultants, which have a max 2GB ram installed. I tried setting
these guys up with VM workstation, as local admins so they could
install/uninstall, and assigning all but 256mb of the systems ram to the
image however the modeller software ran so painfully slow, that users could
type a sentence and practically make a cup of tea before it would show up on
the screen.

Personally I don't think this software is fit for purpose due to the bugs
and crashes users have experienced, and the fact it requires nearly 2GB of
ram to run smoothly isn't practical for use on laptops, so I think we should
be looking at another product. However, the software is from one of our
business partners, and this means we have to use it. So I need to find
someway of allowing users to install fix packs/re-install the software,
without giving them full local admin access. I don't think virtualisation is
going to work because of the memory problems.

One solution I guess would be to setup a generic local admin user on all
business modeller machines, and get people to use the RUNAS command when
executing the install, however I think this maybe a little complex and
confuse some of our users, and it also risks letting those that do
understand it, install other software, or get access to areas, such as
control panel>user accounts or system, when we don't want them too!

Is there any other way we can allow users to just install specific software,
without being local admins, or giving them access to a local admin account?
How do other companies deal with issues such as this, or does this seem like
a fairly unique situation?

Any advice, recommendations much appreciated!

Ben

 

[Kerry Brown]

This may not be possible if they have to reinstall the software all the
time. The normal way to do this is to monitor the program and see what
registry keys and files the program modifies then change the permissions on
those items so that the user has modify permissions. The problem you may run
into is that uninstalling then reinstalling may reset the permissions. Here
are a couple of programs that will help with seeing what registry keys and
files the program uses.

http://www.microsoft.com/technet/sysinternals/utilities/processmonitor.mspx

http://www.microsoft.com/technet/sysinternals/FileAndDisk/Filemon.mspx

http://www.microsoft.com/technet/sysinternals/utilities/regmon.mspx

http://www.microsoft.com/technet/sysinternals/utilities/processexplorer.mspx

If they are running this ill behaved program on laptops you are about to hit
a roadblock that probably can't be overcome. Laptops with XP are becoming
hard to find. There will come a time where you will only be able to find
laptops with Vista. If the program is this ill behaved it is very likely it
won't work at all in Vista.

--
Kerry Brown
Microsoft MVP - Shell/User
http://www.vistahelp.ca


"Ben" <benb@nospam.postalias> wrote in message
news:umM3uZdzHHA.1208@TK2MSFTNGP05.phx.gbl...
> Hi,
>
> Some of you may remember back in June I posted a topic entitled 'Network
> Computer Games on Business Machines' which detailed the problem we were
> having with some of our users installing software & games on their
> machines, as they were local admins (against my recommendations). A number
> of people posted replies, including PA Bear, Malke, Aaron etc with advice,
> and recommendations including presenting the directors with a risk
> analysis. Well I went on holiday the following week, and while there wrote
> up a fairly long, detailed risk analysis, which I gave to our directors
> when I returned.
>
> Surprisingly they actually accepted and agreed with the risk analysis, and
> decided to back me in removing all users from the local admins group!
>
> This was going well on most of our users workstations, with little or no
> side effects. I decided to use VM workstation for our developers who
> needed to install/uninstall development software, allowing them to be
> local admins on their virtual system, but not the base system. Then we
> came to our business analysis/modelers. They use a piece of business
> modelling software that is quite flaky, and they have to keep
> installing/uninstalling and applying fix packs to get it to work, all this
> means they need admin rights. Also this software seems to require a
> minimum of 1 & 1/2GB ram to run, 2GB to run smoothly. These business
> modellers all have Dell laptops, as they are mobile consultants, which
> have a max 2GB ram installed. I tried setting these guys up with VM
> workstation, as local admins so they could install/uninstall, and
> assigning all but 256mb of the systems ram to the image however the
> modeller software ran so painfully slow, that users could type a sentence
> and practically make a cup of tea before it would show up on the screen.
>
> Personally I don't think this software is fit for purpose due to the bugs
> and crashes users have experienced, and the fact it requires nearly 2GB of
> ram to run smoothly isn't practical for use on laptops, so I think we
> should be looking at another product. However, the software is from one of
> our business partners, and this means we have to use it. So I need to find
> someway of allowing users to install fix packs/re-install the software,
> without giving them full local admin access. I don't think virtualisation
> is going to work because of the memory problems.
>
> One solution I guess would be to setup a generic local admin user on all
> business modeller machines, and get people to use the RUNAS command when
> executing the install, however I think this maybe a little complex and
> confuse some of our users, and it also risks letting those that do
> understand it, install other software, or get access to areas, such as
> control panel>user accounts or system, when we don't want them too!
>
> Is there any other way we can allow users to just install specific
> software, without being local admins, or giving them access to a local
> admin account? How do other companies deal with issues such as this, or
> does this seem like a fairly unique situation?
>
> Any advice, recommendations much appreciated!
>
> Ben
>

 

[Malke]

Ben wrote:
> Hi,
>
> Some of you may remember back in June I posted a topic entitled 'Network
> Computer Games on Business Machines' which detailed the problem we were
> having with some of our users installing software & games on their machines,
> as they were local admins (against my recommendations). A number of people
> posted replies, including PA Bear, Malke, Aaron etc with advice, and
> recommendations including presenting the directors with a risk analysis.
> Well I went on holiday the following week, and while there wrote up a fairly
> long, detailed risk analysis, which I gave to our directors when I returned.
>
> Surprisingly they actually accepted and agreed with the risk analysis, and
> decided to back me in removing all users from the local admins group!
>
> This was going well on most of our users workstations, with little or no
> side effects. I decided to use VM workstation for our developers who needed
> to install/uninstall development software, allowing them to be local admins
> on their virtual system, but not the base system. Then we came to our
> business analysis/modelers. They use a piece of business modelling software
> that is quite flaky, and they have to keep installing/uninstalling and
> applying fix packs to get it to work, all this means they need admin rights.
> Also this software seems to require a minimum of 1 & 1/2GB ram to run, 2GB
> to run smoothly. These business modellers all have Dell laptops, as they are
> mobile consultants, which have a max 2GB ram installed. I tried setting
> these guys up with VM workstation, as local admins so they could
> install/uninstall, and assigning all but 256mb of the systems ram to the
> image however the modeller software ran so painfully slow, that users could
> type a sentence and practically make a cup of tea before it would show up on
> the screen.
>
> Personally I don't think this software is fit for purpose due to the bugs
> and crashes users have experienced, and the fact it requires nearly 2GB of
> ram to run smoothly isn't practical for use on laptops, so I think we should
> be looking at another product. However, the software is from one of our
> business partners, and this means we have to use it. So I need to find
> someway of allowing users to install fix packs/re-install the software,
> without giving them full local admin access. I don't think virtualisation is
> going to work because of the memory problems.
>
> One solution I guess would be to setup a generic local admin user on all
> business modeller machines, and get people to use the RUNAS command when
> executing the install, however I think this maybe a little complex and
> confuse some of our users, and it also risks letting those that do
> understand it, install other software, or get access to areas, such as
> control panel>user accounts or system, when we don't want them too!
>
> Is there any other way we can allow users to just install specific software,
> without being local admins, or giving them access to a local admin account?
> How do other companies deal with issues such as this, or does this seem like
> a fairly unique situation?

Hi, Ben - I remember you. Congratulations on a job well done for your
company's security. I'm sure one of the security experts will have a
more elegant idea for you, but here's mine:

How many business modeler machines are we talking about? If just a few,
why not purchase laptops just for that purpose and not join them to the
domain? Keep them off the network, too or give them their own subnet if
the program needs an Internet connection. Let them run the buggy
software and nothing else. If those machines are never joined to your
network, you don't really need to worry about what the business modeler
users do. Tell the users that they are not to use the machines for
anything else, no documents, etc. If they need to backup or transfer any
data from that program, you can have them upload it to a folder or via
thumb drive or to an NAS just for them. Since I don't know anything
about how that software works and whether you need to back up stuff from
it, those are just WAGs.

In this scenario, you would set up a business modeler machine perfectly
- exactly the way you want it. Image it. Then have those machines in for
maintenance at some regular interval that makes sense to you and simply
restore the image. Voila! Clean machines again.


Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User

 

[Ben]

"Malke" <notreally@invalid.invalid> wrote in message
news:OpVCJvfzHHA.4816@TK2MSFTNGP04.phx.gbl...
<snip>
>
> Hi, Ben - I remember you. Congratulations on a job well done for your
> company's security. I'm sure one of the security experts will have a more
> elegant idea for you, but here's mine:
>
> How many business modeler machines are we talking about? If just a few,
> why not purchase laptops just for that purpose and not join them to the
> domain? Keep them off the network, too or give them their own subnet if
> the program needs an Internet connection. Let them run the buggy software
> and nothing else. If those machines are never joined to your network, you
> don't really need to worry about what the business modeler users do. Tell
> the users that they are not to use the machines for anything else, no
> documents, etc. If they need to backup or transfer any data from that
> program, you can have them upload it to a folder or via thumb drive or to
> an NAS just for them. Since I don't know anything about how that software
> works and whether you need to back up stuff from it, those are just WAGs.
>
> In this scenario, you would set up a business modeler machine perfectly -
> exactly the way you want it. Image it. Then have those machines in for
> maintenance at some regular interval that makes sense to you and simply
> restore the image. Voila! Clean machines again.
>

Hi Malke,

That's an interesting approach, I'll have to run it past the business
modeler guys, (we have 2 spare thinkpads at the moment, so it might be a use
for them).

I can think of one reason why they might reject this approach down, and
that's weight/luggage - These guys travel a fair bit, and also carry a small
projector for presentations with them, they may not be open to the idea of
having to carry another laptop around with them.

However this all comes down to whether they actually need to have their
standard company laptop with them, maybe they can use that at home/in the
office for emails, VPN etc, then use the second laptop for modeler
development & onsite presentations.....Hmmm an interesting idea, will have
to give this serious thought - thanks!

Many thanks

Ben

 

[Ben]

"Kerry Brown" <kerry@kdbNOSPAMsys-tems.c*a*m> wrote in message
news:344DC998-5500-4F76-A246-A5C2E7C1AC2A@microsoft.com...
> This may not be possible if they have to reinstall the software all the
> time. The normal way to do this is to monitor the program and see what
> registry keys and files the program modifies then change the permissions
> on those items so that the user has modify permissions. The problem you
> may run into is that uninstalling then reinstalling may reset the
> permissions. Here are a couple of programs that will help with seeing what
> registry keys and files the program uses.
>
> http://www.microsoft.com/technet/sysinternals/utilities/processmonitor.mspx
>
> http://www.microsoft.com/technet/sysinternals/FileAndDisk/Filemon.mspx
>
> http://www.microsoft.com/technet/sysinternals/utilities/regmon.mspx
>
> http://www.microsoft.com/technet/sysinternals/utilities/processexplorer.mspx
>
> If they are running this ill behaved program on laptops you are about to
> hit a roadblock that probably can't be overcome. Laptops with XP are
> becoming hard to find. There will come a time where you will only be able
> to find laptops with Vista. If the program is this ill behaved it is very
> likely it won't work at all in Vista.
>

Hi Kerry,

Thanks for the reply.

Good question on the modeler/Vista compatibility, I will have to setup a
test machine and see how it runs. Probably a good idea to check it now
before it becomes an urgent requirement for us, and we find out then that
they're not compatible!

Thanks for the sysinternal links, I can see I'm going to have to spend quite
a bit of time doing some research into the files & registry keys accessed
when modeler is installed. Not an easy task! If you know anything about IBM
software you will know that they never use 1 file when 10 will do!

Thanks again

Ben

 

[Malke]

Ben wrote:

> Hi Malke,
>
> That's an interesting approach, I'll have to run it past the business
> modeler guys, (we have 2 spare thinkpads at the moment, so it might be a use
> for them).
>
> I can think of one reason why they might reject this approach down, and
> that's weight/luggage - These guys travel a fair bit, and also carry a small
> projector for presentations with them, they may not be open to the idea of
> having to carry another laptop around with them.
>
> However this all comes down to whether they actually need to have their
> standard company laptop with them, maybe they can use that at home/in the
> office for emails, VPN etc, then use the second laptop for modeler
> development & onsite presentations.....Hmmm an interesting idea, will have
> to give this serious thought - thanks!

I think your idea expanding on mine is the way to go. Load up the spare
Thinkpads with whatever these guys need when they travel, including the
buggy software. Image them. Make those the "travel laptops" and have
them leave their "work laptops" behind. Problem solved.

Oh, and I think I'd just present the new method as a fait accompli and
not discuss it with them first. -)


Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User